Is Data Breach Fatigue a Real Thing?

News of a new information breach, or data security threat, seems to break almost daily, whether in Australia or internationally. Some are major scandals, such as Cambridge Analytica or the exposure of Australian Government files in the Cabinet Files breach, whereas others affect a smaller number of individuals or companies.

Whilst major breaches do hit the ‘airwaves’ and create significant media interest, there is some evidence that the frequency and scale of these events are causing indifference. Research conducted in the US has shown that consumers appear to be experiencing data breach fatigue[i].

The growing number of notifications under the Notifiable Data Breaches (NDB) scheme has made customers aware of instances where a breach of personal information has occurred. Under the scheme, entities have data breach notification obligations when a breach is likely to result in serious harm to any individuals whose personal information is involved.

The sectors which reported the most breaches for the period were the private health sector with 49 notifications in the quarter, followed by the finance sector with 36 notifications. This is particularly interesting in light of research commissioned by Shred-it, the 2018 Shred-it Security Tracker Report, which found that the vast majority of Australians feel that data protection is very important when making decisions about choosing service providers in banking (93 percent) and health service providers (84 percent).

The report shows the main causes of data breaches to be malicious or criminal attacks (142 notifications or 59 per cent), followed by human error (88 notifications or 36 per cent). This demonstrates that strong policies and training for employees are important.

The regular quarterly reporting of breaches, and the fact that the OAIC has noted that it will consider appropriate regulatory action in cases of non-compliance, is likely to focus the attention of businesses on information security.

The Security Tracker report demonstrates that consumers have very high expectations of their service providers and trust them to protect their personal data, so the fact that reports of breaches are so numerous is worrying.

There is an onus on businesses, organisations and governments to care about data breaches and do everything in their power to prevent them from occurring. This includes using secure destruction of paper-based information and old electronic devices, implementing strong cyber security measures and having strong information security policies.